Experts see critical flaws in India's draft data protection law

Yesterday, Supreme Court lawyer Prasanna S. tweeted about how, in the course of the worst riots in Delhi in decades, a mob reportedly targeted Muslim-owned vehicles for arson by first looking up their licence plate numbers on a government database.

Curious to see if personal data could be traced so easily, I found the vehicle registration database online and keyed in my car's number plate. A second later, my name popped up. Three other similar searches also revealed the owners' names.

Last July, India's Minister for Road Transport and Highways Nitin Gadkari told Parliament the government had sold access to information on vehicle registration and driving licences to 87 private and 32 government entities for about 650 million rupees (S$12.7 million).

It is not clear if, or how many, rioters used the vehicle database to target vehicles, or whether they used the government website or other private apps that hold the data. But it is clear that this state-held personal data is easily accessible, underscoring India's critical need for a data protection law.

"India is building several national databases and registers which are collecting citizens' information without any safeguards… As a country which upholds constitutional democracy, we urgently need a data protection law to uphold the right to privacy," said Mr Srinivas Kodali, a data security expert based in Hyderabad.

India has been discussing such a law since 2017, when the Supreme Court said privacy was a fundamental right and told the government to set up a data protection regime.

The Ministry of Electronics and Information Technology set up a committee to draft a data protection Bill, and last December, the government introduced a version of this Bill in Parliament. It is now being reviewed by a parliamentary committee.

On Tuesday, as some parts of Delhi were engulfed in flames amid religious violence over changes to the law that clears the path to citizenship for non-Muslim migrants, the deadline for public feedback on the draft data protection law expired.

The draft law seeks to regulate how the data of Indian users is collected, stored and used by private firms and the government. For the first time, Indian law would require technology companies to seek permission from their users to collect personal data.

But privacy advocates and firms say the draft has serious shortcomings. One concern is a provision allowing the government to exempt any of its agencies from following the law for reasons including "the interest of sovereignty and integrity of India" and "friendly relations with foreign states".

Mozilla, which operates the Web browser Firefox, has said this provision "leaves the current legal vacuum around India's surveillance and intelligence services intact, which is fundamentally incompatible with effective privacy protection".

The draft law would also allow the government to process a person's data without his consent for "reasonable purposes", such as credit-scoring, and even during "any breakdown of public order".

Access Now, a United States-based digital rights advocacy group that has researchers in India, cautions: "Such broad, undefined language, especially in the background of deployment of mass facial recognition and other technologies, creates concern, and may lead to the mass surveillance of users."

The draft law also requires companies holding sensitive personal data of their users - biometrics, health and financial data, and details such as caste, religion and sexual orientation - to store a copy of the data in India. Critical personal data, a term not yet defined, is required to be stored only inside the country.

The Software Alliance, an industry group that includes companies such as Microsoft and IBM, says the use of these terms could confuse consumers and businesses, "disrupt companies' operations and increase the costs of providing services in India".

Companies and activists say the proposed data protection authority does not seem independent enough from the government. A rule that requires social media companies to do "voluntary identity verification" of their users, they say, needs more blocks to prevent misuse of such data.

They also fear that while companies have to hand over "anonymised" personal data to the government when asked, there are not enough protections against possible leaks, creation of super-databases or possible surveillance.

Mr Apar Gupta, director of the Internet Freedom Foundation, a Delhi-based advocacy group, said the draft law reflects the government's desire to put security and fiscal interests above privacy.

The law "will refine, store and then trade the personal information of Indians without their control; (this data is) open for sale or open for appropriation to the interests of securitisation or revenue maximisation, with minimal levels of protection", said Mr Gupta.

On Wednesday, following fears of rioters tracking car number plates to owners, Mr Gupta's organisation wrote to the transport ministry asking it to restrict public and private access to its vehicle registration database. It also asked the ministry to stop setting up databases which could share personal information without any meaningful consent.

The ministry has yet to respond.

A version of this article appeared in the print edition of The Straits Times on February 28, 2020, with the headline 'Experts see critical flaws in India's draft data protection law'.